Cloud Assisted Miniport Hook Bypass

The toughest types of malware are rootkits. Rootkits embed themselves deep in the operating system, where they hide from antivirus software. The longer a rootkit stays alive on a computer, the more profit the malware authors make, because the computer is under their control.

Highly advanced rootkits like the TDSS family (TDL, Alureon.DX, Olmarik) and new variants of Mebroot and Sinowal work on both 32-bit and 64-bit versions of Windows and infect the Master Boot Record (MBR). This means that these so-called bootkits start before Windows boots up, which gives the bootkit an obvious advantage. Any protection mechanism imposed by Windows (or by antivirus software that is loaded by Windows) can be defeated, because the program that starts first can control those that start later.

Once Windows is booting, the rootkit attaches a filtering mechanism to the hard disk driver. This filter gives the rootkit complete control over the hard drive. For example, when an antivirus tries to read the MBR (sector 0) of the hard drive (to see if it is infected), the rootkit will simply serve a regular MBR so that it appears that the MBR is clean. Hence, the rootkit is undetected.

Now, in order to read the actual infected MBR, you need to get around the rootkit’s filtering mechanism.

For this you need to know two things:

  1. The hard disk miniport driver that is hooked (e.g. atapi.sys, iaStor.sys, nvstor32.sys, amdsata.sys, etc.)
  2. How the rootkit is hooking into it

When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.

The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.

Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and effectively read the actual infected sectors. This works for ANY hard disk driver, not just the common ones.
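As an added illustration (not Hitman Pro’s own code; the post does not describe its internals), here is a constructed model of the idea: a clean computer contributes a short fingerprint of its miniport driver’s dispatch table, computed over offsets from the image base so it is independent of load address, and a scanner that finds a dispatch pointer redirected out of the driver image matches the rest of the table against the stored record to recover where the genuine handlers live. All driver names, addresses and the fingerprint scheme are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class MiniportSnapshot:
    """Constructed view of a loaded miniport driver: image range plus IRP dispatch pointers."""
    name: str
    image_base: int
    image_size: int
    dispatch: dict = field(default_factory=dict)  # IRP major function -> handler address

def dispatch_rvas(snap):
    # Offsets from image base: the same driver build yields the same values at any load address.
    return {irp: addr - snap.image_base for irp, addr in snap.dispatch.items()}

def fingerprint(snap):
    """Short, load-address-independent fingerprint of the dispatch table (the 'few bytes' kept per driver)."""
    blob = ";".join(f"{irp}={rva:#x}" for irp, rva in sorted(dispatch_rvas(snap).items()))
    return hashlib.sha256(blob.encode()).hexdigest()[:16]

def hooked_entries(snap):
    """Dispatch pointers that no longer land inside the driver's own image: the classic sign of a hook."""
    lo, hi = snap.image_base, snap.image_base + snap.image_size
    return sorted(irp for irp, addr in snap.dispatch.items() if not lo <= addr < hi)

def resolve_original_handlers(snap, clean_rvas):
    """Given the clean RVAs from the fingerprint record, compute where the genuine handlers sit in this load."""
    return {irp: snap.image_base + clean_rvas[irp] for irp in hooked_entries(snap) if irp in clean_rvas}

# Constructed sample: atapi.sys as reported by a clean computer (addresses are made up) ...
CLEAN = MiniportSnapshot("atapi.sys", 0x8A100000, 0x30000, {
    "IRP_MJ_READ": 0x8A103A40, "IRP_MJ_WRITE": 0x8A103A40,
    "IRP_MJ_DEVICE_CONTROL": 0x8A105C10, "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0x8A106020})
CLEAN_DB = {fingerprint(CLEAN): dispatch_rvas(CLEAN)}  # stands in for the Cloud database

# ... and the same driver on a machine where a filter redirected one dispatch entry into pool memory.
INFECTED = MiniportSnapshot("atapi.sys", 0x8B400000, 0x30000, {
    "IRP_MJ_READ": 0x8B403A40, "IRP_MJ_WRITE": 0x8B403A40,
    "IRP_MJ_DEVICE_CONTROL": 0x8B405C10, "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0x89920CC0})

def analyse(snap):
    """Classify a snapshot as clean, hooked (with recovered handlers) or unknown to the database."""
    if fingerprint(snap) in CLEAN_DB:
        return {"status": "clean", "hooked": []}
    hooked, rvas = hooked_entries(snap), dispatch_rvas(snap)
    # Match a stored record on the entries that were NOT hooked, then recover the genuine handlers.
    for clean_rvas in CLEAN_DB.values():
        if all(rvas[i] == clean_rvas.get(i) for i in rvas if i not in hooked):
            return {"status": "hooked", "hooked": hooked,
                    "original": resolve_original_handlers(snap, clean_rvas)}
    return {"status": "unknown", "hooked": hooked}
```

The image-range check alone would miss a pointer redirected to a patched routine inside the driver’s own image, which is why the comparison against a clean record is the stronger signal.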

If you run Hitman Pro with Early Warning Scoring (a mode for experts) on a Mebroot-infected system, you can see Cloud Assisted Miniport Hook Bypass in action. If the yellow sticky mentions "bypassed", then Hitman Pro should be able to detect the presence of the rootkit.

The yellow sticky only appears in an Early Warning Scoring scan. In the Default Scan or Quick Scan the sticky is not displayed, because non-expert users have no idea what a kernel-mode hook is. Of course, when an infected MBR is detected it is listed, regardless of the chosen scan.

Cloud Assisted Miniport Hook Bypass collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.

Available in Hitman Pro 3.5.9 (or newer).
